CIA, Mossad, Also Targeted in Massive DigiNotar Cert Breach

The list of fraudulent certificates obtained by hackers who breached a Dutch certificate authority has grown to more than 500 and includes certificates for domains owned by three intelligence agencies: the CIA, Israel's Mossad and the UK's MI6.

DigiNotar, which is owned by Illinois-based Vasco Data Security, also lacked basic security safeguards such as strong passwords, anti-virus protection and up-to-date software patches, according to a third-party audit conducted by security firm Fox-IT in the Netherlands and released Monday.

DigiNotar acknowledged last week that it became aware it had been breached on July 19, though it has never disclosed how long the hackers were inside its network before they were discovered.

DigiNotar is one of numerous firms around the world that generate security certificates for internet entities. The certificates authenticate web pages using the Secure Sockets Layer protocol so that users can trust that their encrypted communication is going to the correct location. Anyone who manages to obtain a certificate for a domain they do not own - such as criminals or government agents - can impersonate the legitimate site to steal log-in credentials and read a user's communications.

Since news of the DigiNotar breach broke last week, the list of fraudulent certificates the hackers obtained has grown to at least 531, all of which have been disclosed by parties other than DigiNotar. The company has been heavily criticized for failing to honestly communicate the depth of its breach or disclose the fraudulent certificates to browser makers so they could block them.

In addition to the intelligence agencies, the list of victims to date includes internet giants like Mozilla, Yahoo, Skype, Facebook and Twitter, as well as the Tor privacy and anonymizing service and even Microsoft's Windows Update service, according to Computer World. Certificates issued for Dutch government domains are also believed to have been compromised in the hack.

The Minister of the Interior for the Netherlands said on Saturday that the government could no longer guarantee the security of its websites and urged the public not to log into them until new certificates could be obtained from other issuing authorities.

DigiNotar acknowledged the breach only after reports began circulating from people in Iran who claimed they were getting browser error messages when they tried to load the Gmail website. Google subsequently confirmed that a fraudulent Google certificate issued to a non-Google entity was operating in the wild, allowing someone to conduct a man-in-the-middle attack to intercept Gmail browsing.

DigiNotar admitted that the hackers who breached its network had obtained certificates for an undisclosed number of domains, but wouldn't identify the victims. The company has said only that a third-party audit had uncovered a list of certificates the hackers obtained, all of which were subsequently revoked. DigiNotar acknowledged, however, that the auditor had somehow missed the certificate that the hackers had obtained for Google. That certificate was finally revoked last week after Google disclosed its existence in the wild.

Browser makers Google, Mozilla and Microsoft announced this weekend that they would be permanently blocking all digital certificates issued by DigiNotar, suggesting a complete loss of trust in the integrity of its service.
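The trust failure the article describes, and why the two responses it mentions (certificate errors shown to users, and the blanket distrust of DigiNotar's roots) stop it, can be shown with Go's standard library. The following is an added example, not code from the article or from any company named in it; the CA names, the hostname mail.example.com and all keys are constructed fixtures. It issues a certificate for the same hostname from a legitimate test CA and from a second "compromised" test CA, then checks the fraudulent certificate three ways: plain chain validation while both roots are trusted (accepted, which is the whole problem, since any trusted CA can issue for any name), chain validation after the compromised root is removed (rejected, which is what the browser makers did), and chain validation plus a pin on the site's known public key (rejected even while the CA is still trusted, the kind of check that can surface an error to a user even though the certificate chains to a trusted root).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mustKey generates a throwaway P-256 key for the test fixtures.
func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mustCert signs tmpl with the parent's key and parses the DER back into a
// certificate. When parent == tmpl the result is self-signed (a root CA).
func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// newCA builds a self-signed root CA (constructed fixture, not a real CA).
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return mustCert(tmpl, tmpl, &key.PublicKey, key), key
}

// issueLeaf has the CA sign a server certificate for host with a fresh key.
// Nothing here checks that the CA has any relationship with host: in the
// Web PKI every trusted root can vouch for every name.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) *x509.Certificate {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return mustCert(tmpl, ca, &key.PublicKey, caKey)
}

// chainOK is the ordinary browser check: does leaf chain to a trusted root for host?
func chainOK(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// spkiPin hashes the SubjectPublicKeyInfo, the value a pin set stores.
func spkiPin(c *x509.Certificate) [32]byte {
	return sha256.Sum256(c.RawSubjectPublicKeyInfo)
}

// pinnedOK layers the pin check on chain validation: a certificate from a
// trusted CA but with an unexpected public key is still rejected.
func pinnedOK(leaf *x509.Certificate, roots *x509.CertPool, host string, pins map[[32]byte]bool) bool {
	return chainOK(leaf, roots, host) && pins[spkiPin(leaf)]
}

// Outcome records what each verification policy says about the certificates.
type Outcome struct {
	RogueAcceptedWhileTrusted  bool // chain check only, compromised CA still in the store
	RogueAcceptedAfterDistrust bool // chain check only, compromised CA removed
	RogueAcceptedWithPinning   bool // chain check plus SPKI pin, CA still trusted
	GenuineAcceptedWithPinning bool // the site's real certificate under the same pin
}

// Scenario runs the comparison against constructed CAs and a test hostname.
func Scenario() Outcome {
	const host = "mail.example.com" // constructed hostname
	goodCA, goodKey := newCA("Example Root CA")       // the site's legitimate issuer
	rogueCA, rogueKey := newCA("Compromised Test CA") // stands in for a breached CA
	genuine := issueLeaf(goodCA, goodKey, host)
	rogue := issueLeaf(rogueCA, rogueKey, host) // fraudulent cert for a name this CA never served

	both := x509.NewCertPool() // trust store before anyone reacts
	both.AddCert(goodCA)
	both.AddCert(rogueCA)
	onlyGood := x509.NewCertPool() // trust store after the breached CA is blocked
	onlyGood.AddCert(goodCA)
	pins := map[[32]byte]bool{spkiPin(genuine): true} // the site's known key

	return Outcome{
		RogueAcceptedWhileTrusted:  chainOK(rogue, both, host),
		RogueAcceptedAfterDistrust: chainOK(rogue, onlyGood, host),
		RogueAcceptedWithPinning:   pinnedOK(rogue, both, host, pins),
		GenuineAcceptedWithPinning: pinnedOK(genuine, both, host, pins),
	}
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

Running it with `go run` prints the four results; the first is true and the second and third are false, which is the point: removing the root from the trust store is the only remedy that works for every site, while a pin protects one site even before the store is updated, and both depend on the CA's own list of fraudulent certificates not at all, which matters when, as here, the issuer's logs were incomplete.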

"Based on the findings and decision of the Dutch government, as well as conversations with other browser makers, we have decided to reject all of the Certificate Authorities operated by DigiNotar," Heather Adkins, a Google information security manager, wrote in a post to the company's blog.

Fox-IT's audit report on DigiNotar's security called the network "severely breached" and revealed that hackers were in DigiNotar's network as early as June 6. According to the report, DigiNotar had maintained all of the servers it used for issuing certificates on a single Windows domain, accessible with a user name and password that were easily brute-forced. The auditors also found malicious software on DigiNotar's most critical servers - malware that should have been easily detected by anti-virus software. The auditors said that some of DigiNotar's server logs had been deleted, which made it difficult for the company to compile a complete list of the fraudulent certificates the hackers had issued.

There has been speculation that the Iranian government was behind the hack after users in Iran revealed that someone in that country was using the fake Google certificate issued by DigiNotar to trick users into revealing their Gmail login credentials. According to Fox-IT's audit, some 300,000 unique IP addresses in Iran may have accessed web sites that used the fraudulent certificate.

"The list of domains and the fact that 99 percent of the users are in Iran suggest that the objective of the hackers is to intercept private communications in Iran," Fox-IT wrote.

But over the weekend, a hacker who earlier in the year claimed credit for breaching Comodo, another certificate authority, claimed responsibility for the DigiNotar breach as well. The hacker, who in the past has identified himself as a 21-year-old Iranian student, claimed he got root access to DigiNotar after obtaining an administrator's username (Production/Administrator) and password (Pr0d@dm1n). He also claimed to have breached four other certificate authorities, including GlobalSign. GlobalSign said in a tweet on Tuesday that it is investigating the claim.

The hacker claimed the attack was retaliation for the Dutch government's indirect role in the death of 8,000 Serbian Muslims in 1995.